Researcher develops ransomware attack that targets water supply

A security researcher is showing that it’s not hard to hold industrial control systems for ransom. He's experimented with a simulated water treatment system based on actual programmable logic controllers (PLCs) and documented how these can be hacked.

David Formby, a PhD student at Georgia Institute of Technology, conducted his experiment to warn the industry about the danger of poorly-secured PLCs. These small dedicated computers can be used to control important factory processes or utilities, but are sometimes connected to the internet.

For instance, Formby found that 1,500 of these industrial PLCs are accessible online, he said while speaking at the RSA cybersecurity conference on Monday. It's not hard to imagine a hacker trying to exploit these exposed PLCs, he added. Cybercriminals have been infecting businesses across the world with ransomware, a form of malware that can hold data hostage in exchange for bitcoin.

For a hacker, holding an industrial control system hostage can also be lucrative, and far more devastating for the victim.

“He (the hacker) can threaten to permanently damage this really sensitive equipment,” Formby said. “For example, a power grid transformer can take months to repair.”

Ideally, industrial PLCs should be “air-gapped” or segregated from the internet. But often times, they’re connected to other computers that are frequently online. Or they're accessible from a third-party vendor, who’s been hired to maintain them over the internet, Formby said.

In addition, these PLCs are often old, and weren’t built with online security features in mind. For instance, there’s nothing to protect them from brute-force password attacks or to prevent the use of weak passwords, Formby said.

To demonstrate the risks, Formby designed a simulated water treatment plant, built with actual industrial PLCs that will control the flow of water and chlorine into a storage tank (a YouTube video can be found here).

In a month's time he developed a ransomware-like attack to control the PLCs to fill the storage tank with too much chlorine, making the water mix dangerous to drink. Formby also managed to fool the surrounding sensors into thinking that clean water was actually inside the tank.

A hacker wanting to blackmail a water utility could take a same approach, and threaten to taint the water supply unless paid a ransom, he warned.

Real-world water treatment systems are more sophisticated than the generic one he designed, Formby said. However, poorly-secured PLCs are being used across every industry, including in oil and gas plants and manufacturing.

Most of these PLCs he found that were accessible online are located in the U.S., but many others were found in India and China, he said.

Formby recommends that industrial operators make sure they understand which systems connect to the internet, and who has control over them. He’s also set up a company designed to help operators monitor for any malicious activity over their industrial control systems.

Latest Videos

​Email fraud is nothing new, but online criminals have become ever more-effective at spoofing their identities to trick employees into sending them money. The Australian Centre for Cyber Security (ACSC) recorded losses of over $20M to business email compromise (BEC) attacks last year alone, up 230 percent over the previous year – and the full amount is certain to be much larger.​

No matter how robust your security, or how diligent your employees, network credentials are a free pass for cybercriminals. This is mostly because employees are relied upon for their own password management. And with more than 4.8 billion sets of stolen credentials said to be available online, odds are that at least a few of your employees’ user IDs and passwords are just waiting to be used by unscrupulous outsiders. Are you ready to stop them?

Cyber resilience will be particularly important as Australian organisations face increased pressure to quickly detect, respond to, and manage the repercussions of breaches in the wake of 2018’s Notifiable Data Breaches (NDB) scheme.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.